Human rights organization Amnesty International last week reported identifying a link between an Indian cybersecurity company and the infrastructure used by a hacking group in an attack that attempted to deliver Android and Windows spyware to an activist in the West African country of Togo.
In late 2019 and early 2020, ahead of the presidential elections in Togo, the Donot Team hacking group attempted to spy on a prominent Togolese human rights defender, but only managed to raise the victim’s suspicion.
Active since at least 2012 and also tracked as APT-C-35 and SectorE02, Donot Team is mainly known for its focus on targets in India, Pakistan, China, and other Asian countries. Over the past couple of years, however, it has shifted focus to additional geographies, including Argentina, UAE, and the UK.
While this is the first reported Donot Team attack against an individual in West Africa, it is not the first cyberattack against activists in Togo, who have long been the target of shadowy cyber-mercenaries.
During their investigation into the cyberattack against a prominent Togolese activist, Amnesty International discovered a connection between Donot Team’s Android spyware and Innefu Labs Pvt. Ltd., an Indian cybersecurity company that claims to provide services to law enforcement.
“Amnesty International found two key pieces of evidence connecting Innefu Labs to the Donot Team Android spyware and to the specific infrastructure used to deliver the Android spyware to the HRD in Togo,” the human rights organization says.
On a Donot Team server, Amnesty International found a screenshot from an infected Android device that showed the use of a website used to send spyware to the Togolese activist and an IP address tied to Innefu Labs. Furthermore, the same IP address was found in a log file publicly exposed on said website.
Thus, the Innefu Labs IP address is linked to the infrastructure used for the distribution of Donot Team spyware in the attacks targeting the human rights activist in Togo, Amnesty International notes.
The organization also says that it has additional evidence that Innefu Labs is involved in the development of Donot Team spyware, although it’s unclear whether the Indian company was indeed involved in the targeting of the activist in Togo.
“The activity linked to the Donot Team may involve multiple distinct actors or organisations with access to the same custom spyware toolset. The identity of all individuals or groups involved with Donot Team activity is unknown,” Amnesty International explains.
Innefu Labs, however, has refuted Amnesty International’s allegations, saying it is in no manner connected to the Donot Team or the attack against the Togolese activist, and claiming that it was not aware of its IP address being used for said activities.
“There is no evidence to suggest Innefu Labs had a direct involvement or knowledge of the targeting of the human rights defender in Togo using the Donot Team spyware tools,” Amnesty International says.